Post AYMtfMTU8BiJ6URIye by redfire@mastodon.online
 Post #AYIgfLTmynK9CD2O4e by simon@fedi.simonwillison.net
       2023-08-01T22:15:13Z
       
       0 likes, 0 repeats
       
       Question for Dependabot users: have you found a good pattern for landing multiple dependency bumps at once? I have continuous deployment configured but I don't want to ship the whole repo every time I land a Dependabot PR.
       
 Post #AYIgrBN6O06ZK1YPYW by simon@fedi.simonwillison.net
       2023-08-01T22:16:03Z
       
       0 likes, 0 repeats
       
       I guess the easiest fix is probably to have a "nodeploy" token I can add to the landed commits, such that I can skip shipping some of them and then ship the whole lot at the end
       
 Post #AYIhCwMirKLz9Ukeki by lewiscowles1986@phpc.social
       2023-08-01T22:21:04Z
       
       0 likes, 0 repeats
       
       @simon ship on tag, not merge. It'll solve so many problems, and you can even dry-run a lot of it on merge to pick up problems before release. Pretty sure you can auto-tag releases using a token, and scan to see who the committer is before doing that so dependabot is not auto-released.
       
 Post #AYIhPgtJhfpWvM4qEi by ryanwi@hachyderm.io
       2023-08-01T22:21:35Z
       
       0 likes, 0 repeats
       
       @simon I’ve done some manual combining of PRs into a single PR. But, prefer to have each update deployed by itself for clear attribution of breaking changes, in the case that a dependabot passes CI but fails in prod. There is https://www.hrvey.com/blog/combine-dependabot-prs , but I haven’t tried it yet
       
 Post #AYIhcSsJ7vcDDZhDcW by pamelafox@fosstodon.org
       2023-08-01T22:23:24Z
       
       0 likes, 0 repeats
       
       @simon I have the same question. I should probably not deploy based on every PR to main and only deploy on some other signal, as you say. Currently I get deploy collisions on Monday mornings from dependabot merges.
       
 Post #AYIhpNXmG88KRrFdKK by radiac@mastodon.cloud
       2023-08-01T22:26:27Z
       
       0 likes, 0 repeats
       
       @simon Merge into a branch individually, merge that into "main" in one go, and only do CD on "main"? Most of my projects have a "develop" default branch and dependabot PRs to that. Although I also only release on tags.
       
 Post #AYIizyqWWaXmzPdewS by jsm@mastodon.social
       2023-08-01T22:41:06Z
       
       0 likes, 0 repeats
       
       @simon I’ve found grouped updates (beta) to be useful for this recently; where the pattern just matches a wildcard for the ecosystem (e.g. Python dependencies): https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
       
       Note, it doesn’t work for security updates (via Dependabot), which will continue to open single, separate pull requests.
       
 Post #AYIjP2Q0NcgvJBBQMC by ryanfb@digipres.club
       2023-08-01T22:45:50Z
       
       0 likes, 0 repeats
       
       @simon my CD doesn’t deploy for each commit if there’s a running newer CI run, so as long as I merge faster than a test run takes to complete, only the last merge will actually deploy.
       
 Post #AYIozRmG4akW9ZlxIW by simon@fedi.simonwillison.net
       2023-08-01T23:48:38Z
       
       0 likes, 0 repeats
       
       @ryanwi just tried that and it worked great! Thanks very much.
       
 Post #AYItYaMiXCC0jzpwES by parkr@fosstodon.org
       2023-08-02T00:39:26Z
       
       0 likes, 0 repeats
       
       @simon If you set the target-branch, they can be created against a non-deploying branch. Once they run CI on their own branch, you can merge them all into the target-branch. After doing so, you have a unified target-branch that you can merge into your deploying branch, which kicks off your CD pipeline. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch
       
 Post #AYIvUKjQuxZf0JYuLg by satya@mas.to
       2023-08-02T01:00:40Z
       
       0 likes, 0 repeats
       
       @simon Group updates may be another way? https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
       
 Post #AYJuCdjNdR0Fv7Uq0G by aimaz@mstdn.social
       2023-08-02T12:21:18Z
       
       0 likes, 0 repeats
       
       @simon I had a GitHub action for merging PRs into a single PR based on some criteria. I think it was this one: https://github.com/marketplace/actions/combine-prs
       
 Post #AYMpXfyAagROeDVOLo by simon@fedi.simonwillison.net
       2023-08-03T22:13:31Z
       
       0 likes, 0 repeats
       
       Turns out Dependabot has a new "grouped updates" feature which solves this: https://github.blog/changelog/2023-06-30-grouped-version-updates-for-dependabot-public-beta/ I implemented that here and it's addressed the problem perfectly: https://github.com/simonw/simonwillisonblog/blob/d88187ff23230e369d69eb461150f01fedab6a57/.github/dependabot.yml
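
The grouped-updates and target-branch options discussed in this thread, combined in one dependabot.yml as an added example. This is not the file Simon linked, just an illustration of the documented options; the "develop" branch name and the ignored package name are placeholders.

```yaml
# Added example of a .github/dependabot.yml using the options mentioned in the thread.
# Not Simon's actual file; "develop" and "some-pinned-package" are placeholder values.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    # Raise the PRs against a branch that nothing deploys from (parkr's suggestion).
    # Merge the bumps into "develop", then merge "develop" into the branch that
    # triggers CD, so one deploy covers all of them.
    target-branch: "develop"
    # Group every pip version bump into a single PR (grouped updates, public beta
    # at the time of the thread). Security updates are not grouped and still
    # arrive as separate PRs, as jsm noted above.
    groups:
      python-dependencies:
        patterns:
          - "*"
    # Workaround mentioned by anze3db for a package the project cannot move to
    # the newest release yet: leave it out of the automated bumps entirely.
    ignore:
      - dependency-name: "some-pinned-package"
```

Review the combined PR's CI result before merging "develop" into the deploying branch; a grouped bump that passes CI but fails in production is harder to attribute to one package than a single-dependency PR, which is the trade-off ryanwi raised earlier in the thread.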
       
 Post #AYMr0Z3JUFm1XyFZCa by jsm@mastodon.social
       2023-08-03T22:30:00Z
       
       0 likes, 0 repeats
       
       @simon glad it worked out 🙌🏼
       
 Post #AYMrUzgX23lypl6WAq by anze3db@fosstodon.org
       2023-08-03T22:35:23Z
       
       0 likes, 0 repeats
       
       @simon It's pretty cool. The only issue that I have is that it bumps versions both in requirements.txt and requirements.in files, which means you can’t use it unless your project runs on the most up to date versions :( There is a workaround by ignoring those packages in dependabot config, but it's very inconvenient.
       
 Post #AYMtfMTU8BiJ6URIye by redfire@mastodon.online
       2023-08-03T22:59:43Z
       
       0 likes, 0 repeats
       
       @simon I'm pretty sure Renovate has had this for a long time already.
       
 Post #AYMu9k4Sxr8myTDvXs by markwalker@fosstodon.org
       2023-08-03T23:04:58Z
       
       0 likes, 0 repeats
       
       @simon This has me interested... So by grouping your Python deps there, you'll end up with 1 PR for all the pip dependencies each day, right?
       
 Post #AYN1kOjVxcDlBoqjj6 by simon@fedi.simonwillison.net
       2023-08-04T00:30:16Z
       
       0 likes, 0 repeats
       
       @markwalker Yup, seems to work exactly like that.
       
 Post #AYN24gXHTpuuCAnjJQ by pamelafox@fosstodon.org
       2023-08-04T00:34:07Z
       
       0 likes, 0 repeats
       
       @simon now I need a dependabot to update all my dependabots
       
 Post #AYNIVnj0SRiXZrEmMi by simon@fedi.simonwillison.net
       2023-08-04T03:38:04Z
       
       0 likes, 0 repeats
       
       I already had an existing TIL for Dependabot, so I've updated it with the new recipe: https://til.simonwillison.net/github/dependabot-python-setup